Welcome to the Power Users community on Codidact!
Power Users is a Q&A site for questions about the usage of computer software and hardware. We are still a small site and would like to grow, so please consider joining our community. We are looking forward to your questions and answers; they are the building blocks of a repository of knowledge we are building together.
Synchronize OTP across multiple devices
A lot of sites these days use OTP. I'm not very familiar with this, but you normally install an app like Google Authenticator on your phone. The app serves an OTP code on demand which you enter along with your user/pass into the website's login form.
For something like this, I really dislike using software from proprietary vendors. Ideally it should be something as open as possible.
Also, with many of these apps, it seems like your phone is the single point of failure. Maybe some people consider their phone very precious, but for me this is a concern - I might lose my phone, I might reinstall the OS, I don't really want to create a situation where losing access to my phone means also means losing access to my bank account.
Is there an OTP solution I can use, where my "account" can be synchronized across devices (Android, Linux PC) so that for example when a website asks me for the OTP code, I have the option of generating that from my phone as well as my computer?
2 answers
You are accessing this answer with a direct link, so it's being shown above all other answers regardless of its score. You can return to the normal view.
The QR code for Time-based one-time passwords (TOTP) just contains some secret info[1] to seed the TOTP app.[2] You can dump it into another implementation of TOTP. The seed and the current time will predictably create the same rotating value at the same time.
On the website where you're configuring MFA, find the button or link that says "I don't want to use a QR code." You should be able to take the secret data and enter it somewhere else. Most decent password managers have a place for a TOTP seed.
If you add it everywhere you need it when you first set up TOTP, any of those devices will work as the second factor. You can confirm that they all show the same value at the same time. Obviously, that seed is really important to keep safe. Anyone with that data has your second-factor.
You at least have a couple options for open-source alternatives, though cross-platform, open-source, and dedicated authenticators is a very, very small pool of options. This list is therefore mixed with some other alternatives:
-
Aegis; android-only, and doesn't quite support sync. However, it does let you export significantly more easily for backup and multi-device use, so you can store it in whatever other places you feel comfortable with.
This only addresses backups and not losing access to your accounts, however. You can also in theory export it to a dedicated desktop authenticator, though as per option 2 and 3, you may have other alternatives that don't require 2+ different authenticators and manual synchronisation.
-
Bitwarden; cross-platform and cross-browser, but there are some caveats.
First, you either need premium (10 dollars per year; quite affordable really), or you need to self-host it. You can either self-host the official version, or this unofficial version designed to be easier and lighter to self-host.
Second, this is more of a controversial option. Not because of Bitwarden itself, but because it's also a password manager. If you use it as both an authenticator and a password manager, the argument goes that keeping passwords and 2FA together weakens the security benefit of 2FA; if someone breaches the password manager with your authenticator, the attacker gets your passwords and your 2FA codes in one go.
Arguments in favour include that you may already have 2FA and passwords together on your phone, so if someone steals your phone, they get both, and that the benefit of having a secure syncing backup outweighs the risks. The arguments boil down to the reality of the real-world vs. the theoretical steps for max security, and what level of risk you're willing to accept. As that post outlines, there's also a trick you can take if you plan to store passwords alongside 2FA secrets. If you're willing to accept this tradeoff (which I personally am, FWIW), Bitwarden is an option, and it does sync your 2FA tokens. It also lets you export your entire vault if you want an extra backup.
This post from the Bitwarden forums is also a good read on the topic.
-
Ente Auth; cross-platform and dedicated authenticator. The only thing I'm not clear on here is precisely how the sync works, i.e. whether or not the 2FA secrets are also stored in the cloud for backup, or if you need at least one device to operate. The E2EE branding makes it hard to tell if it's P2P mediated by a central server, or if a copy is stored in an encrypted form on a server that only the end-devices can decrypt. I've only heard this one mentioned in passing, so I haven't tried it myself.
Not sure if it makes a practical difference, but something to keep in mind if you plan to look into it.
It's also worth noting that Aegis is capable of importing from google authenticator. Ente Auth is supposed to be able to as well, but if anything is flaky, Aegis is pretty reliable with specifically the import. If you're considering Bitwarden, you will need to use Aegis or some other way to extract secret keys from the Google Auth-specific QR codes. Aegis also lets you export the secrets directly, so you can copy them out manually into whatever else you end up using.
When I migrated away from Google Authenticator, it was incredibly tedious to export stuff out of it. IIRC, the export format differs from the TOTP standard, so you need special support to import it.
Regardless of what you end up using, Aegis can at least be one step in letting you properly move away from Google Authenticator without having to manually set up every single 2FA thing from scratch if the thing you switch to doesn't let you import directly.
0 comment threads